DETAILED ACTION

1. This correspondence is in response to Amendments and REMARKS filed on April 22, 2008.

2. Claims 1, 3, 9, 13-15, 21 and 22 are amended; Claims 2, 11, 12 and 20 are cancelled; and 
Claims 23-25 are new. 

3. Claims 1, 3-10, 13-19 and 21-25 are pending. 

Response to Arguments 

4. Applicant's arguments with respect to the pending claims have been considered but are moot in 
view of the new ground(s) of rejection. 

Claim Rejections - 35 USC §103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1, 3-5, 8-10, 13, 14 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Young et al. (US 7,024,690 B1 - "Young") in view of Kaufman et al. (US 5,497,421 - "Kaufman"), and
further in view of Blanco et al. (US 6,539,482 B1 - "Blanco")

As per Claim 1, Young teaches,

A method for authentication in a network, the method comprising: creating a credential string on a 
portal server [see Client System 220 in FIG.2; and for example, col.4, lines 47-67], the credential string 
being an encrypted hash of a session ID [see FIG. 3; and for example, col. 5, lines 9-19]; and sending a 
UserID associated with the session ID and the credential string to a software application from the portal
server [see AP 210 in FIG.2 and FIG. 3; and for example, col. 5, lines 1-8].

Young teaches communicating hashed representation of user identifiers and passwords [see
FIG. 3 and abstract]; but fails to disclose maintaining the user password on the portal server and avoiding 
exposing the user password to network resources beyond the portal server. However, in the same field of 
endeavor, Kaufman discloses maintaining the user password on the portal server and avoiding exposing 
the user password to network resources beyond the portal server [see for example, FIGS. 3-5 and 
abstract]. 

Therefore, it would have been obvious to a person having ordinary skill in the art, at the time of 
Applicants' invention, to combine the teachings of Young and Kaufman because both are in the field of
network authentication systems. Incorporating Kaufman's teaching modifies the system of Young in order
to protect the confidentiality of the user's password [see abstract of Kaufman].

Young-Kaufman combination teaches confirmation request including the credential string [see for 
example, FIG. 3 of Young and FIGS. 3-5 of Kaufman]; but fails to disclose receiving a confirmation 
request from the software application to an LDAP; and sending a response from the LDAP proxy in reply 
to the confirmation request to validate the credential string to authenticate the UserID. Nevertheless,
Blanco teaches receiving a confirmation request from the software application to an LDAP; and sending a
response from the LDAP proxy in reply to the confirmation request to validate the credential string to
authenticate the UserID [see for example, FIG. 2 and abstract].

It would have been obvious to a person having ordinary skill in the art, at the time of Applicants' 
invention, to modify Young-Kaufman combination by incorporating Blanco's LDAP, so that users could 
access network service, which includes a directory, remotely or locally [see abstract of Blanco]. 

As per Claim 9, Young teaches,

A method for authenticating a user request for a software application, the method comprising:
receiving a UserID and a credential string at an authentication proxy server, the credential string being an
encrypted hash of a session ID, which is created at a portal [see Client System 220 in FIG.2; and for
example, col.4, lines 47-67]; and sending a confirmation request from the authentication proxy to the
portal [see AP 210 in FIG. 2 and FIG. 3; and for example, col. 5, lines 1-8].

Young teaches communicating hashed representation of user identifiers and passwords [see for 
example, FIG. 3 and abstract]; but fails to disclose maintaining the user password on the portal server and 
avoiding exposing the user password to network resources beyond the portal server. However, in the 
same field of endeavor, Kaufman discloses maintaining the user password on the portal server and 
avoiding exposing the user password to network resources beyond the portal server [see for example, 
FIGS. 3-5 and abstract]. 

It would have been obvious to a person having ordinary skill in the art, at the time of Applicants' 
invention, to modify the system of Young by incorporating Kaufman's teaching in order to protect the 
confidentiality of the user's password [see abstract of Kaufman].

Young-Kaufman combination teaches confirmation request including the credential string [see for 
example, FIG. 3 of Young and FIGS. 3-5 of Kaufman]; but fails to disclose receiving a confirmation 
request from the software application to an LDAP; and sending a response from the LDAP proxy in reply 
to the confirmation request to validate the credential string to authenticate the UserID. Nevertheless,
Blanco teaches receiving a confirmation request from the software application to an LDAP; and sending a
response from the LDAP proxy in reply to the confirmation request to validate the credential string to
authenticate the UserID [see for example, FIG. 2 and abstract].

It would have been obvious to a person having ordinary skill in the art, at the time of Applicants' 
invention, to modify Young-Kaufman combination by incorporating Blanco's LDAP, so that users could 
remotely or locally access network services [see abstract of Blanco]. 



As per Claim 22, Young-Kaufman-Blanco combination teaches,

A computer program product comprising a computer usable medium having readable program
code embodied in the medium, the computer program product including at least one program code to:
create a credential string on a portal server, the credential string being an encrypted hash of a session ID
[see Client System 220 in FIG. 2; and for example, col.4, lines 47-67 of Young];

send a UserID associated with the session ID and the credential string to a software application
from the portal server [see AP 210 in FIG. 2 and FIG.3; and for example, col. 5, lines 1-8 of Young], while 
maintaining the user password on the portal server and avoiding exposing the user password to network 
resources beyond the portal server [see for example, FIGS. 3-5 and abstract of Kaufman]: 

the confirmation request including the credential string [see for example, FIG.3 of Young and 
FIGS. 3-5 of Kaufman]; receive a confirmation request from the software application to an LDAP proxy 
while maintaining the user password on the portal server such that the user password is not required to 
authenticate the User ID; and send a response from the LDAP proxy in reply to the confirmation request 
to validate the credential string to authenticate the UserID [see for example, FIG.2 and abstract of
Blanco]. 

As per Claim 3, Young-Kaufman-Blanco combination teaches,

wherein the encrypted hash of the session ID is a derivate of the session ID [see for example, 
FIG.3 of Young and abstract of Kaufman]. 

As per Claim 4, Young-Kaufman-Blanco combination teaches,

performing a lightweight directory access protocol (LDAP) lookup using the UserID; and
if the LDAP lookup confirms the UserID and the response validates the credential string [see for example,
FIG.2 of Blanco], returning a successful authentication reply to the software application for establishing a
session associated with the session ID [see for example, Grant Access 112 in FIG.3 of Blanco],
otherwise sending an unsuccessful authentication reply to the software application [see for example,
Deny Access 106 in FIG.3 of Blanco].



As per Claim 5, Young-Kaufman-Blanco combination teaches,



Application/Control Number: 10/791,322 Page 6 

Art Unit: 2139 

wherein the sending of a UserID and the credential string avoids at least one of sending a user's
password outside of a portal server and storing the password in persistent memory [see for example, 
FIGS. 3-5 and abstract of Kaufman]. 

As per Claim 8, Young-Kaufman-Blanco combination teaches,

wherein the receiving step and sending a response step is performed by an authentication proxy 
[see for example, AP 210 of Young; LOGIN AGENT (LA) NODE 26 of Kaufman; and LDAP Client of 
Blanco]. 

As per Claim 10, Young-Kaufman-Blanco combination teaches,

providing a confirmation to the software application if the response is affirmative and the UserID is
authenticated by the LDAP lookup [see for example, FIGS. 2 and 3 of Blanco]. 

As per Claim 13, Young-Kaufman-Blanco combination teaches,

validating the confirmation request by assuring that the credential string has been received only 
once for confirmation at the portal, otherwise, if presented more than once, performing at least one of 
initiating a security breach procedure and notifying a software application proxy [see for example, FIGS.2 
and 3 - where Blanco discloses credential single receiving]. 

As per Claim 14, Young-Kaufman-Blanco combination teaches,

receiving the UserID and the user password during a logon to the portal, wherein the UserID is
validated in the validating step and the user password is maintained at the portal and used to process the 
confirmation request [see for example, FIGS. 3-5 and abstract of Kaufman]. 

Claims 6, 7, 15, 19 and 23-25 are rejected under 35 U.S.C. 103(a) as being unpatentable over
"Young" in view of "Kaufman", and further in view of Wenisch et al. (US 7,100,054 B2 - "Wenisch")



As per Claim 15, Young teaches,

A system for authenticating a session stored on a computer readable storage medium,
comprising computer readable program code, comprising: an authentication proxy which receives
requests to authenticate a UserID and a credential string [see LOGIN AGENT (LA) NODE in FIG. 2 of
Kaufman], the credential string being an encrypted hash of a session ID and created on a portal [see 
Client System 220 in FIG.2; and for example, col.4, lines 47-67 of Young]. 

Young teaches a credential string validation component which receives requests to validate the 
credential string [see FIG. 3]; but fails to disclose maintaining a user password on the portal such that the 
user password is not required to validate the credential string, and avoiding exposing the user password 
to network resources beyond the portal. However, Kaufman teaches maintaining a user password on the 
portal such that the user password is not required to validate the credential string, and avoiding exposing 
the user password to network resources beyond the portal [see FIGS. 3-5 and abstract of Kaufman]. 

It would have been obvious to a person having ordinary skill in the art, at the time of Applicants' 
invention, to modify the system of Young by incorporating Kaufman's teaching in order to protect the 
confidentiality of the user's password [see abstract of Kaufman].

Young-Kaufman combination fails to teach wherein the credential string validation component 
checks whether the credential string has been previously received for validation within a predetermined 
time period; however, in the same field of endeavor, Wenisch teaches wherein the credential string 
validation component checks whether the credential string has been previously received for validation 
within a predetermined time period [see for example, FIG.2; and for example, col.4, lines 25-35]. 

Therefore, it would have been obvious to a person having ordinary skill in the art, at the time of 
Applicants' invention, to modify Young-Kaufman combination by incorporating the teachings of Wenisch 
in order to protect the network from repetitive attack. 

As per Claims 6 and 7, Young-Kaufman-Wenisch combination teaches,
sending the UserID associated with the session ID and the credential string to a software
application proxy [see FIGS. 3 and 3-5 of Young and Kaufman respectively. See also FIG. 2 of Blanco];
checking whether the session ID and the credential string have been previously received within a
predetermined time period; and if affirmative, initiating a security breach procedure; and wherein the
security breach procedure causes the termination of any session associated with the UserID [see FIG. 2;
and for example, col. 4, lines 25-35 of Wenisch]. 

As per Claims 19 and 23, Young-Kaufman-Wenisch combination teaches,
a software application proxy which receives the UserID and the credential string and detects
whether the UserID and the credential string have been previously received within a predetermined time
period; and wherein the UserID and the credential string are sent to a software application when the
predetermined time period has elapsed [see FIG. 2; and for example, col. 4, lines 25-35 of Wenisch]. 

As per Claims 24 and 25, Young-Kaufman-Wenisch combination teaches,
wherein a network security breach is initiated when a second request to validate the credential 
string occurs within the predetermined time period of a first request to validate the credential string [see 
FIG.2; and for example, col. 4, lines 25-35 of Wenisch]; and wherein the portal is configured to accept a 
logon by a user and create the credential string from an associated session ID [see for example, FIG. 3 of 
Young and abstract of Kaufman]. 

Claims 16-18 and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over
"Young-Kaufman-Wenisch" combination, and further in view of "Blanco"

As per Claims 16-18, Young-Kaufman-Wenisch combination teaches,
wherein the authentication proxy receives the UserID and credential string from a software
application [see FIGS. 3 and 3-5 of Young and Kaufman respectively].

Blanco discloses wherein the authentication proxy performs lightweight directory access protocol
(LDAP) lookups using the UserID and sends the credential string to the credential string validation
component and receives a validation reply [see for example, FIG.2]; wherein the authentication proxy 
sends an affirmative authentication reply to a software application when both the LDAP lookup is 
successful and the validation reply indicates a valid credential string [see for example, FIG. 3]. 

As per Claim 21, Young-Kaufman-Wenisch-Blanco combination teaches,

a lightweight directory access protocol (LDAP) directory for authenticating the UserIDs and which
is accessible by the authentication proxy [see for example, FIGS. 2 and 3 of Blanco]; and a software
application proxy for intercepting the UserID and the credential string sent by the portal for monitoring
duplicate occurrences of the UserID and the credential string [see FIGS. 3 and 3-5 of Young and
Kaufman respectively. See also FIG.2 of Blanco]. 

Conclusion 

6. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of 
the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should
be directed to AMARE TABOR whose telephone number is (571)270-3155. The examiner can normally 
be reached on Mon-Fri 8:00a.m. to 5:00p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Amare Tabor 
(AU2139) 

/Kristine Kincaid/ 

Supervisory Patent Examiner, Art Unit 2139 



